Dorkbot Rears its Malicious Head on Facebook

If your enterprise and/or employees use Facebook, then watch out: Dorkbot is back in town. Thanks to the researchers at Bitdefender for spotting this one, and the reporters at CSO for helping sound the alarm.

Dorkbot – which the folks at Facebook have since worked to remove from their site – spreads via a botnet that sends a malicious link to a Facebook user’s friends through the platform’s Internet Relay Chat protocol. The link is made to look like an ordinary image file. However, once clicked, the malware downloads.

Once embedded inside a victim’s system, Dorkbot scans browsing activity and attempts to steal passwords and other credentials. It also has the potential to:

• hijack computers and use them in DDoS attacks
• prevent anti-virus software from running security updates
• download additional malware from the C2 (Command and Control) server for SPAM and ransomware

Dorkbot certainly isn’t the first malware to spread via Facebook. A year ago, we discovered that Kelihos.B was taking the same “social” route.

The first version of Dorkbot made an appearance way back in 2003, and throughout the last decade it has attempted to wreak havoc via various IM clients, including Yahoo Messenger, Pidgin and Xchat. This latest iteration is different, because it exploited a flaw on the file-sharing website MediaFire to spread.

The total damage hasn’t yet been audited, but Bitdefender said that as of Monday, it had documented 9,000 malicious links to Dorkbot. The security company also applauded Facebook – and we at Seculert join them – for responding promptly and start wiping out the malware activity from their website within a day of being notified.